BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA CVE-2026-1731 (CVSS 9.9)

Key Takeaways:

  • CVE-2026-1731 allows unauthenticated remote code execution (RCE) on BeyondTrust PRA and Remote Support solutions.
  • Approximately 11,000 instances are exposed globally, with 8,500 being high-risk on-premises deployments.
  • The vulnerability was identified using AI-enabled variant analysis, highlighting a shift in vulnerability discovery.
  • New ransomware families like Reynolds are integrating kernel-level drivers to disable security software.

Table of Contents:

  1. BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability
  2. Affected Versions and Remediation
  3. The Role of AI in Vulnerability Discovery
  4. Contextualizing with Ivanti EPMM Zero-Days
  5. The Rise of Reynolds Ransomware and BYOVD Tactics
  6. Intelligence from the Underground
  7. Technical and Non-Technical Takeaways
  8. PurpleOps Expertise and Services
  9. Final Analyst Summary
  10. Frequently Asked Questions

BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA

BeyondTrust has released security updates to address a critical vulnerability, CVE-2026-1731, affecting its Privileged Remote Access (PRA) and Remote Support solutions. This vulnerability allows for unauthenticated remote code execution (RCE) via an operating system command injection. Analysis indicates that an attacker can send specially crafted requests to an exposed instance to execute commands within the context of the site user.

This type of flaw is particularly significant because it does not require valid credentials or prior access to the system, placing the central management of privileged credentials at immediate risk. The identification of CVE-2026-1731 (CVSS 9.9) represents a major shift in the targeting of administrative infrastructure. BeyondTrust confirmed that successful exploitation permits unauthorized access, data exfiltration, and the potential for complete service disruption.

“Because Privileged Remote Access tools are designed to manage and gateway access to an organization’s most sensitive assets, an unauthenticated RCE in this software provides a direct path for attackers to compromise the entire internal network.”

Affected Versions and Remediation

The scope of CVE-2026-1731 includes:

  • Privileged Remote Access (PRA): Versions 24.3.4 and prior.

BeyondTrust has provided the following patches:

  • Privileged Remote Access: Patch BT26-02-PRA, version 25.1.1 or later.

Self-hosted customers are required to manually apply version 25.1.1 to remediate the flaw. Until these patches are applied, the 8,500 on-premises instances remain susceptible to unauthenticated command injection.

Vulnerability alert showing BeyondTrust remote access risk

The Role of AI in Vulnerability Discovery

The use of AI-driven tools to find CVE-2026-1731 indicates a transition in how both researchers and threat actors identify entry points. Variant analysis automated by AI can scan large codebases to find weaknesses that traditional manual auditing might overlook. For organizations, this means the window between vulnerability discovery and active exploitation is narrowing.

Threat actors utilize similar automation to identify targets globally, often using a cyber threat intelligence platform to track exposed infrastructure in real-time. The discovery of 11,000 exposed instances demonstrates the scale of the attack surface for PAM (Privileged Access Management) tools. When these tools are internet-facing, they become “edge devices” that bridge external networks with secure internal segments.

Contextualizing with Ivanti EPMM Zero-Days

The BeyondTrust flaw is part of a broader trend of targeting management platforms. Recently, the European Commission, the Dutch Data Protection Authority (AP), and Finland’s Valtori agency reported breaches linked to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). These vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340 (both with CVSS 9.8), allowed for unauthenticated code injection.

In the case of the European Commission, the breach was identified on January 30, 2026. While the Commission stated that no mobile devices were compromised, attackers accessed staff names and phone numbers. These incidents indicate that even if an RCE does not lead to a full network takeover immediately, the initial breach detection often reveals significant data exposure through the management platform itself.

The Rise of Reynolds Ransomware and BYOVD Tactics

While BeyondTrust and Ivanti vulnerabilities focus on initial access, new ransomware families like “Reynolds” are changing how they maintain persistence. Reynolds, which appears to be a spinoff or rebrand of the Black Basta group, has been observed using “Bring Your Own Vulnerable Driver” (BYOVD) techniques.

In a BYOVD attack, the ransomware payload includes a legitimate but vulnerable Windows driver. The Reynolds ransomware specifically bundles the NsecSoft NSecKrnl driver, which contains a medium-severity vulnerability (CVE-2025-68947). By deploying this driver, the ransomware gains kernel-level access to the operating system, allowing it to terminate Endpoint Detection and Response (EDR) processes.

By integrating the driver into a single payload, Reynolds reduces the number of files dropped on a system, which can help bypass certain types of breach detection and static file analysis. This integration speeds up the attack, leaving a smaller window for security teams to intervene.

Intelligence from the Underground

Threat actors are increasingly discussing these types of vulnerabilities on hidden forums. Underground forum intelligence shows a high demand for unauthenticated RCEs in enterprise software like BeyondTrust and Ivanti. Additionally, Telegram threat monitoring has revealed that specialized “initial access brokers” often sell access to compromised PAM and MDM instances to ransomware affiliates.

For organizations, staying ahead of these threats requires more than just reactive patching. Utilizing a dark web monitoring service can help identify if corporate credentials or internal system details are being traded. Furthermore, a live ransomware API can provide technical teams with the latest signatures and behavioral patterns used by groups like Reynolds.

Technical and Non-Technical Takeaways

For Technical Teams:

  • Prioritize Patching: Immediately update BeyondTrust PRA and Remote Support to version 25.1.1 or later.
  • Restrict Access: Ensure that PAM and MDM interfaces are not exposed to the public internet. Use VPNs or Zero Trust Network Access (ZTNA).
  • Driver Blocklisting: Implement Microsoft’s Vulnerable Driver Blocklist to prevent BYOVD attacks.
  • Log Monitoring: Audit logs for unusual OS command execution patterns originating from the site user context.
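The two monitoring items above (auditing OS command execution from the site user context, and watching for loads of blocklisted drivers) can be turned into simple detection rules. The script below is an added example, not BeyondTrust, Microsoft or PurpleOps code: it parses a handful of constructed key=value audit lines and flags (a) commands spawned by the web server as the site user that contain shell metacharacters or launch an interpreter, and (b) driver loads whose hash or file name appears on a blocklist. The log schema, the user and process names `site` and `httpd`, the driver file name and the blocklist hashes are all assumptions made for the example.

```python
"""Detection sketch for two of the technical takeaways:
  - OS command execution from the appliance's site user that looks like injection
  - loads of drivers that appear on a vulnerable-driver blocklist (BYOVD)

The log format, user/parent names, driver names and blocklist entries are
constructed for this example; they are not a BeyondTrust or Windows schema.
"""
import re

# Constructed audit log lines (key=value pairs; values with spaces are quoted).
SAMPLE_LOGS = [
    'ts=2026-02-10T09:00:01Z event=proc_exec user=site parent=httpd cmd="ls -la /var/www"',
    'ts=2026-02-10T09:00:07Z event=proc_exec user=site parent=httpd cmd="ping -c 1 10.0.0.5; id"',
    'ts=2026-02-10T09:00:09Z event=proc_exec user=root parent=cron cmd="logrotate /etc/logrotate.conf"',
    "ts=2026-02-10T09:00:12Z event=proc_exec user=site parent=httpd cmd=\"sh -c 'uname -a'\"",
    'ts=2026-02-10T09:01:00Z event=driver_load host=ws01 driver=vulndrv_example.sys sha256=constructed-hash-0001',
    'ts=2026-02-10T09:01:02Z event=driver_load host=ws01 driver=storport.sys sha256=constructed-hash-0002',
]

# Constructed blocklist: placeholder hashes, not entries from Microsoft's list.
BLOCKLIST = {"constructed-hash-0001"}

WEB_USER = "site"      # assumed name of the appliance's site user
WEB_PARENT = "httpd"   # assumed name of the web server process

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Shell metacharacters that a parameter passed from the web tier to the OS
# should never contain; in a site-user command they are a strong signal.
SHELL_META_RE = re.compile(r'[;|&`$<>\n]')

# Interpreters that an injected payload would typically spawn.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}


def parse_line(line):
    """Parse one key=value log line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def classify_command(event):
    """Return a rule name if a proc_exec event looks like command injection, else None."""
    if event.get("event") != "proc_exec":
        return None
    # Only commands run as the site user by the web server are in scope.
    if event.get("user") != WEB_USER or event.get("parent") != WEB_PARENT:
        return None
    cmd = event.get("cmd", "")
    if SHELL_META_RE.search(cmd):
        return "web_user_shell_metacharacters"
    argv = cmd.split()
    argv0 = argv[0].rsplit("/", 1)[-1] if argv else ""
    if argv0 in INTERPRETERS:
        return "web_user_spawned_interpreter"
    return None


def classify_driver(event, blocklist):
    """Return a rule name if a driver_load event matches the blocklist, else None."""
    if event.get("event") != "driver_load":
        return None
    if event.get("sha256", "").lower() in blocklist or event.get("driver", "").lower() in blocklist:
        return "blocklisted_driver_load"
    return None


def analyze(lines, blocklist):
    """Run both rules over the log lines; return (rule, timestamp, detail) findings."""
    findings = []
    for line in lines:
        event = parse_line(line)
        rule = classify_command(event) or classify_driver(event, blocklist)
        if rule:
            findings.append((rule, event.get("ts"), event.get("cmd") or event.get("driver")))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS, BLOCKLIST):
        print(finding)
```

On the constructed input the script reports the metacharacter command, the `sh -c` spawn and the blocklisted driver load, and stays quiet on the routine `ls` and the root cron job. In practice the rule for the site user should be tightened to an allowlist of the binaries the product legitimately executes, and the driver blocklist should be fed from the vendor's published list rather than a hard-coded set.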

For Business Leaders:

  • Inventory Management: Maintain an accurate inventory of all internet-facing management tools.
  • Incident Response Planning: Update playbooks to include scenarios where administrative tools are compromised.
  • Investment in Intelligence: Utilize real-time ransomware intelligence to understand industry-specific threats.
  • Brand Protection: Set up brand leak alerting to monitor for leaked employee data.

PurpleOps Expertise and Services

The current threat environment requires a multi-layered approach to security. PurpleOps provides the tools and expertise necessary to navigate these challenges. Our Cyber Threat Intelligence services provide organizations with the data needed to identify emerging threats before they result in a compromise.

When critical vulnerabilities like CVE-2026-1731 are disclosed, our team can perform Penetration Testing to simulate how an attacker might exploit these flaws. For organizations concerned about edge device exploitation, PurpleOps offers specialized Supply Chain Information Security assessments.

Furthermore, our Dark Web Monitoring services track activity on underground forums. To prevent the impact of groups like Reynolds, our Protect Against Ransomware services focus on detecting and neutralizing the tools used for defense evasion.

For more information, please visit our Services page or Contact PurpleOps directly.

Final Analyst Summary

The disclosure of CVE-2026-1731 in BeyondTrust represents a high-priority risk. The ability for an unauthenticated attacker to execute commands bypasses primary security controls. Combined with the exploitation of Ivanti EPMM and the development of BYOVD techniques in Reynolds ransomware, it is clear that attackers are focusing on the administrative tools themselves to gain unimpeded access to corporate networks.

Frequently Asked Questions

What is CVE-2026-1731?
It is a critical pre-authentication remote code execution (RCE) vulnerability affecting BeyondTrust Privileged Remote Access and Remote Support, allowing attackers to execute commands without valid credentials.

How many instances are currently at risk?
Approximately 11,000 instances are exposed to the internet, with 8,500 of those being on-premises deployments that require manual patching.

What is the recommended fix for BeyondTrust PRA?
Organizations should immediately apply patch BT26-02-PRA and update to version 25.1.1 or later.

What is a BYOVD attack?
“Bring Your Own Vulnerable Driver” is a technique where attackers deploy a legitimate but vulnerable driver to gain kernel-level access and disable security software like EDR.

Who is the Reynolds ransomware group?
Reynolds is a suspected spinoff of the Black Basta group known for integrating vulnerable drivers directly into their ransomware payloads to evade detection.